From a736c129659999f08a6a7e021142aca8883233c9 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Mon, 8 Aug 2022 13:26:10 -0400
Subject: [PATCH] Add warning when generate_lease=true (#16398)

This option is known to cause problems with large numbers of issued certificates. Ensure admins are warned about the impact of this field and encourage them to disable it.

Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/path_roles.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go
index e3a3b909638ae..f20c79eb53321 100644
--- a/builtin/logical/pki/path_roles.go
+++ b/builtin/logical/pki/path_roles.go
@@ -735,6 +735,9 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 }
 } else {
 *entry.GenerateLease = data.Get("generate_lease").(bool)
+ if *entry.GenerateLease {
+ warning = "it is encouraged to disable generate_lease and rely on PKI's native capabilities when possible; this option can cause Vault-wide issues with large numbers of issued certificates"
+ }
 }

 resp, err := validateRole(b, entry, ctx, req.Storage)
@@ -939,6 +942,10 @@ func (b *backend) pathRolePatch(ctx context.Context, req *logical.Request, data
 } else {
 entry.GenerateLease = oldEntry.GenerateLease
 }
+
+ if *entry.GenerateLease {
+ warning = "it is encouraged to disable generate_lease and rely on PKI's native capabilities when possible; this option can cause Vault-wide issues with large numbers of issued certificates"
+ }
 }

 resp, err := validateRole(b, entry, ctx, req.Storage)
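Review bot: The warning text assigned in the `else` branch of pathRoleCreate is repeated verbatim in the pathRolePatch hunk, so the two copies can drift apart the next time the wording is edited. Declaring the existing text once as a package-level constant and writing `warning = generateLeaseWarning` in both places (the constant name is a suggestion) keeps the operator-facing message identical on create and patch. `warning` is declared outside the hunk and the plain `=` replaces whatever was stored in it earlier; from the visible lines this looks like an exclusive `else` branch, so nothing should be lost, but that is worth confirming against the branch above. pathRoleCreate's body starts and ends outside the hunk.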
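Review bot: The new `if *entry.GenerateLease` check in pathRolePatch dereferences a pointer that, when the request omits generate_lease, was just copied from `oldEntry.GenerateLease`; if a stored role can carry nil there, the patch request would panic instead of returning a warning. The hunk does not show how oldEntry is loaded, so the value may already be normalised on read; if that is not guaranteed, guard it with `if entry.GenerateLease != nil && *entry.GenerateLease {`. Because the check sits after the if/else, the warning also fires on every patch of a role that already has generate_lease=true, even when the request does not touch the field; a short comment such as `// warn on an inherited generate_lease=true as well` would record that this is intended. pathRolePatch's body starts and ends outside the hunk.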